
Re: Security update of mysql-connector-java



On 20.06.2016 19:41, Markus Koschany wrote:
> On 20.06.2016 19:38, Moritz Muehlenhoff wrote:
>> On Mon, Jun 20, 2016 at 06:48:58PM +0200, Markus Koschany wrote:
>>> Hello,
>>>
>>> I am thinking about upgrading mysql-connector-java to the latest stable
>>> version in Wheezy and Jessie to address
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2015-2575
>>>
>>> As usual Oracle does not provide concrete information about the
>>> vulnerability or a patch for older versions. On the other hand it is
>>> claimed that the issue is difficult to exploit, probably because users
>>> need to be authenticated. But without further information I rather
>>> hesitate to mark this CVE as a minor issue. Any thoughts?
>>
>> Agreed. I already discussed briefly with ebourg who suggested the same.
>>
>> Can you prepare an update for jessie-security? 
>>
>> Cheers,
>>         Moritz
> 
> Yes, I will do so tomorrow.

Houston, we have a problem. It seems the latest upstream release
requires Java 8 for building JDBC 4. In Jessie even Java 6 was
sufficient. I suggest we ship version 5.1.34 of mysql-connector-java
instead, which should build fine with Java 6/7 and also fix the security
vulnerability. If there is a better way, please let me know.

Regards,

Markus




